Find user in AD LDAP

I've come across a problem building the filter for LDAP.

A few notes before the actual question:

Фамилия = Family Name (will be presented as FamilyName)  
Имя = Name (will be presented as Name)  
Отчество = Patronymic (will be presented as Patronymic)

I have a user with the following information in the AD:

CN=Фамилия Имя Отчество
sn=FamilyName
givenname=Name

I want to provide the following functionality:

  1. The user can enter Name FamilyName in the field on the website; this will result in an array of 2 filters, for Name FamilyName and FamilyName Name
  2. The user can enter Имя Фамилия and the search should switch from (&(sn=)(givenname=)) to (cn=)

Currently I have the following piece of code to accomplish the first option:

    /**
     * Generate search terms
     * @param string $query
     * @return LDAPSearcher
     */
    protected function generateSearchTerms(string $query) : self {
        $this->searchTerms = [];
        $explode = explode(' ', $query);
        $combinations = [];
        array_combinations($explode, $combinations);

        foreach($combinations as $index => $combination) {
            if (false !== strpos($combination, ' ')) {
                [$firstName, $lastName] = explode(' ', $combination);
                $this->searchTerms[] = [
                    'sn'        =>  $lastName,
                    'cn'        =>  $combination,
                    'givenname' =>  $firstName,
                    'filter'    =>  '(&(sn=' . $firstName . ')(givenname=' . $lastName . '))'
                ];
            }
        }

        return $this;
    }

And it works just fine when the user uses the Latin representation of his/her first and last names, but when I want to switch to using CN, I have no idea how to do it. I've tried the following piece of code for the filter; however, it shows that the filter is incorrect:

    ((&(sn=' . $firstName . ')(givenname=' . $lastName . '))|(cn=' . $combination . '*))

PS: It DOES NOT matter which variables I assign to SN or GivenName, since the combinations will match the correct user anyway. I'm running at most 3 searches for each user to ensure that the correct one is found (just to eliminate the possibility of answers about assigning correct values to variables).

PPS: Combinations are generated using the following piece of code:

    if (! function_exists('array_combinations')) {

        function array_combinations(array $source, array &$target, ?string $tempString = null) {
            if ($tempString !== null) {
                $target[] = $tempString;
            }
            $size = \count($source);
            for ($i = 0; $i < $size; $i++) {
                $copy = $source;
                $element = array_splice($copy, $i, 1);
                $tmp = null;
                if ($tempString !== null) {
                    $tmp = $tempString . ' ' . $element[0];
                } else {
                    $tmp = $element[0];
                }
                if (\count($copy) > 0) {
                    array_combinations($copy, $target, $tmp);
                } else {
                    $target[] = $tmp;
                }
            }

        }

    }

Your query is indeed invalid.

In LDAP query syntax, a "this OR that" condition is written as (|(this)(that)). But you have put the | between your conditions. It needs to be at the front. It should look something like this:

    (|(&(sn=' . $firstName . ')(givenname=' . $lastName . '))(cn=' . $combination . '*))
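
The filters on this page concatenate the raw search string into the filter text, so a value containing `*`, `(`, `)` or `\` changes what the filter means. The following is an added example, not part of the original question or answer: the same `(|(&...)(cn=...*))` shape with every value passed through `ldap_escape()`. `buildNameFilter()` is a hypothetical helper name; it assumes ext-ldap is loaded, handles a two-word query only, and folds both word orders into one filter instead of running separate searches.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not the original poster's code).
 * Builds one OR filter that tries sn/givenname in both orders and a
 * cn prefix match in both orders. Returns null for anything that is
 * not exactly two words, so the caller can reject it before searching.
 */
function buildNameFilter(string $query): ?string
{
    // Split on any run of Unicode whitespace; drop empty pieces.
    $parts = preg_split('/\s+/u', trim($query), -1, PREG_SPLIT_NO_EMPTY);
    if ($parts === false || count($parts) !== 2) {
        return null;
    }
    [$a, $b] = $parts;

    // LDAP_ESCAPE_FILTER encodes the characters that are special inside a
    // filter value (backslash, asterisk, parentheses, NUL) as \XX hex pairs.
    $esc = static fn (string $v): string => ldap_escape($v, '', LDAP_ESCAPE_FILTER);

    $clauses = [
        sprintf('(&(sn=%s)(givenname=%s))', $esc($a), $esc($b)),
        sprintf('(&(sn=%s)(givenname=%s))', $esc($b), $esc($a)),
        // The trailing * is appended after escaping, so it is the only
        // wildcard in the value and comes from the code, not from the user.
        sprintf('(cn=%s*)', $esc($a . ' ' . $b)),
        sprintf('(cn=%s*)', $esc($b . ' ' . $a)),
    ];

    // OR goes in front of its operands: (|(x)(y)...)
    return '(|' . implode('', $clauses) . ')';
}

// Constructed sample inputs: Latin, Cyrillic, filter metacharacters, one word.
$samples = ['Name FamilyName', 'Имя Фамилия', 'Na*me Fam(ily)', 'OnlyOneWord'];
foreach ($samples as $q) {
    echo $q, ' => ', buildNameFilter($q) ?? '(rejected: need two words)', PHP_EOL;
}
```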
